Threat actors continue to launch cyber attacks on organizations around the world. This week’s headlines cover some of these, among other cyber news.
If You Have The SoSafe App, Then This Should Interest You
Pakistan-based threat actors running the GravityRAT remote access trojan have recently developed a chat application called SoSafe chat, which spreads malware under the guise of a ‘safe messaging platform.’ Cybersecurity experts say that the malware is currently targeting high-profile individuals from India. Although the download link and registration for this malicious site remain non-operational, the site itself is very much online.
Apparently, the adversaries circulated malvertising campaigns via chats and social media posts on the SoSafe site. The malware requests 42 user permissions, and the hackers were able to obtain 13 of these to perform actions such as retrieving users’ location, reading mobile data, etc. Reportedly, earlier versions of GravityRAT targeted Windows machines, while the current version targets mobile devices. To ensure ransomware protection, users should refrain from downloading random apps, especially from third-party sources.
Threat Intelligence Firm Cymru Acquires Threat Surface Management Firm Amplicy
Cymru is a threat hunting firm providing detailed intelligence on the different types of malware and threats circulating on the dark web. Amplicy, on the other hand, is a threat surface management firm that provides a detailed analysis of a network’s exposure to threats. These two cybersecurity players have recently come together to work on their shared vision of creating a safe cyberspace for all. Cymru acquired Amplicy and hopes to better inform and prepare its clients against possible threats and vulnerabilities that threat actors could exploit.
With two such essential cybersecurity services available on one platform, users will be better able to identify and protect themselves against cyberattacks. Team Cymru frequently expands its data lake of security information, and this acquisition is likely to play a significant role in amplifying Cymru’s work and position among email security vendors.
Amplicy comes with real-time Internet asset discovery. Cymru can use that to conduct real-time third-party infrastructure analysis, thereby empowering its clients and eliminating the threat from blind spots in their network. Overall, this acquisition aims to provide organizations with a broader view of the cyber risks they might encounter and prepares them to evade these risks.
Cyberattacks Targeting New Zealand Are Increasing: NCSC
The National Cyber Security Centre (NCSC), New Zealand, recently revealed in its annual report that there had been a 15% increase in the number of cyberattacks against the country’s national organizations. While 352 attacks were recorded the previous year, the period from 1st July 2020 to 30th June 2021 saw over 400 attack attempts. What’s more alarming is that the proportion of hackers making it to the post-compromise stage where they can access and move through networks has doubled from 15% to 33%.
NCSC mentions that exploiting vulnerabilities in public-facing applications and identifying targets via automated scanning were the most frequently seen attack techniques. One of the reasons for the increase in cyberattacks, pointed out by NCSC, is that adversaries were very quick to exploit software flaws. No matter how skilled the cyber risk management team was, the attackers managed to exploit a zero-day within a day of its public disclosure. The NCSC further notes that phishing is no longer the most commonly used attack mode, as more and more organizations are training their employees in cybersecurity and in identifying and handling phishing emails. NCSC also mentions that financially motivated cyberattacks outnumber state-sponsored ones.
High Severity Flaw Detected in Netgear’s SOHO Devices
Several small office/home office (SOHO) devices from Netgear were vulnerable to a code execution flaw until recently. Netgear has released a patch for the high severity vulnerability tracked as CVE-2021-34991, which has a CVSS score of 8.8. The flaw was found in the SOHO devices’ Universal Plug-and-Play (UPnP) upnpd daemon and could be exploited from the local area network (LAN) for remote code execution. The affected UPnP code handles unauthenticated HTTP SUBSCRIBE and UNSUBSCRIBE requests from clients.
Cybersecurity researchers at GRIMM detected the vulnerability and explained what makes exploitation of this stack overflow critical. A range of SOHO devices, including routers, modems, and WiFi range extenders, were affected by this vulnerability. For a detailed list of affected devices, users are advised to visit the Netgear website. Netgear is currently working on strengthening its cybersecurity tools and has already released patches for the vulnerability in several devices.
New Research Reveals Interesting Facts About Cloud Security in K-12 School Districts
A new study by the EdWeek Research Center reveals that American K-12 school districts are vulnerable to cloud-based data breaches, with cyberattacks targeting data in cloud applications. An online survey was administered to around 214 district-level administrators between 14th July and 15th September to learn about their cybersecurity strategies. The breakdown of survey takers shows participation from 52 district superintendents, 54 technology officers, and 30 curriculum and instruction directors.
While 30% of K-12 school districts did not have access to cloud security platforms, 50% were either unaware of the implementation of cloud security platforms in the district or didn’t have one.
Around 31% of the respondents were unsure about the consistency and efficiency of their cloud security measures. This lack of awareness of the district’s cybersecurity measures was accompanied by an interest in implementing cloud-based learning management systems (LMS) among around 86% of the respondents. When asked about their cybersecurity budgets, district administrators revealed that they have a budget of approximately $20,000 annually, and 20% of that is to be directed towards protecting cloud applications from 2022.
RedCurl is Back With Attacks
The RedCurl hacker group, which was exposed in August last year, is back with its notorious schemes. The group is now conducting new intrusions, with over four companies as its victims this year. Cybersecurity firm Group-IB found that two Russian companies, along with two other unidentified companies, were targeted by RedCurl this year. Looking at its attack history, the group has completed over 30 attacks since 2018, with victims across nations including the UK, Canada, Russia, Germany, Ukraine, and Norway.
Group-IB investigations reveal that RedCurl’s members are Russians engaged in corporate espionage and the theft of commercial and employee data from companies worldwide. Interestingly, the hacker group has not altered its intrusion tactics, which means that one may be able to predict their moves and ensure ransomware protection.